ClawHub

Tally

v1.0.0

Create and edit Tally forms via API. Use when building surveys, feedback forms, or questionnaires programmatically. Supports all question types including text inputs, multiple choice, checkboxes, ratings (via workaround), and more.

1· 1.7k·1 current·1 all-time
byyuj es yoga@yujesyoga
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the SKILL.md: it documents using the Tally.so REST API to create and edit forms and gives block schemas and curl examples. The functional intent is coherent with a Tally API helper.
!
Instruction Scope
The runtime instructions explicitly tell the agent to read an API key from ~/.config/tally/api_key, to write/read /tmp/backup.json and /tmp/form.json, and to run curl against api.tally.so. Reading the user's filesystem (home config) and writing to /tmp are outside what the manifest declares and widen the skill's effective scope.
Install Mechanism
No install spec or code files are present (instruction-only). This reduces installation risk because nothing is downloaded or written during install, but runtime instructions still perform network and local file actions.
!
Credentials
SKILL.md expects a TALLY_KEY (via cat ~/.config/tally/api_key and exporting TALLY_KEY) but the registry metadata declares no required env vars, no primary credential, and no required config paths. Requesting/using a local API key is reasonable for this skill, but it should be declared explicitly in the metadata; the omission is a proportionality/information gap.
Persistence & Privilege
The skill is not marked always:true and has no install-time persistence. Autonomous invocation is allowed (platform default) but not, by itself, a red flag. The skill does instruct writing to /tmp at runtime (temporary backups), which is expected for a form update flow but should be disclosed.
What to consider before installing
This skill appears to implement the advertised Tally API usage, but its metadata omits credential/config requirements that the instructions clearly use. Before installing: confirm the skill's provenance (source/homepage), require the author to declare that it needs a Tally API key and the expected config path or accept a provided env var, and review the full SKILL.md (it was truncated in the manifest). If you proceed, store the Tally API key in a secure credential store or agent-managed secret (not an unprotected file), and be aware the skill will call https://api.tally.so and write temporary backups to /tmp. If anything looks suspicious after use, revoke the Tally API key.

Like a lobster shell, security has layers — review code before you run it.

latestvk9749jz3s1c7kpgvg7hrhevesd8056jj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments